3 This module depends on OpenLDAP v2.x SDK libraries. For details on obtaining
4 source of OpenLDAP look at <http://www.openldap.org>. OpenLDAP SDK in turn
5 depends on OpenSSL crypto libraries and (optionaly) on Cyrus-SASL libraries.
7 See also: http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html
9 It's not up to date, though. For example, you do NOT have to edit
10 the "dictionary" file.
14 The mapping between radius and ldap attributes is in raddb/ldap.attrmap. You
15 should edit the file and add any new mapping which you need. The schema files
16 is located in doc/RADIUS-LDAPv3.schema. Before adding any radius attributes
17 the ldap server schema should be updated. All ldap entries containing radius
18 attributes should contain at least "objectclass: radiusprofile"
20 radiusCheckItem and radiusReplyItem are special. They allow the administrator
21 to add any check or reply item respectively without adding it in the ldap
22 schema. The format should be <ldap-attribute>: <radius-attribute> <operator>
25 ie radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
29 Add following subsection to the modules{} section of radiusd.conf to control
36 # server: LDAP server hostname/ip address
38 # Optionaly could contain space separated list of host[:port], but
39 # redundancy/resiliency is better acheived configuring multiple rlm_ldap
40 # module instances and invocing them in redundand/failover
41 # configuration in authorize/authenticate sections
43 # You can also pass an ldap url like ldap://localhost
44 # That way you can also specify alternative ldap schemas like
45 # ldaps:// or ldapi://
46 # The port directive will be ignored in that case
48 # default: settings for your system, as set in etc/openldap/ldap.conf
52 # port: LDAP server port
54 # If LDAP server port is set to 636 (ldaps), SSL connection is enforced.
55 # This feature is useful for LDAP servers which support SSL, but don't
56 # do TLS negotiation (like Novell eDirectory).
62 # net_timeout: # of seconds to wait for response of the server (network
63 # failures) default: 10
67 # timeout: # seconds to wait for LDAP query to finish default: 20
71 # timelimit: # of seconds server has to process the query (server-side
72 # time limit) default: 20
76 # ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
77 # default: 0x0000 (no debugging messages)
78 # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
81 # identity: DN under which LDAP searches are done password: pasword
82 # which authenticate this DN default: anonymous bind, no password
83 # required NOTE: searches are done now over unencrypted connection!
85 # identity = "cn=admin,o=My Org,c=UA" password = mypass
88 # ldap_connections_number: The number of ldap connections that the
89 # module will keep open to use in requests. Usually it will not need to
90 # be larger than 5-10 connections default: 5
92 ldap_connections_number = 5
94 # basedn = <Base of LDAP searches>
96 basedn = "o=My Org,c=UA"
98 # filter: LDAP search filter, to locate user object using name supplied
99 # by client during Radius authentication
101 # default: filter = "(uid=%u)"
103 # base_filter: The LDAP search filter used for base scope searches, like
104 # when searching for the default or regular profiles
106 # deafault: base_filter = "(objectclass=radiusprofile)"
110 # start_tls: When set to "yes" the StartTLS extended operation is used to
111 # start TLS transport encryption.
114 # tls_mode: When set to "yes" OR the server port is 636 we try to connect with TLS
115 # Start TLS should be prefered, tls_mode is provided only for ldap servers
116 # like Active Directory which do not support it.
121 # tls_cacertfile: A PEM-encoded file that contains the CA Certificates that
123 tls_cacertfile = /path/to/cacert.pem
125 # tls_cacertdir: Path the a directory of CA Certificates that you trust, the
126 # directory must be in "hash format" (see openssl verify)
127 tls_cacertdir = /path/to/ca/dir/
129 # tls_certfile: The PEM Encoded certificate file that we should present to
131 tls_certfile = /path/to/radius.crt
133 # tls_keyfile: The PEM Encoded private key that we should use to encrypt the
135 tls_keyfile = /path/to/radius.key
137 # tls_randfile: A file containing random data to seed the OpenSSL PRNG. Not
138 # needed if your OpenSSL is already properly random.
139 tls_randfile = /path/to/rnd
141 # tls_require_cert: Certificate Verification requirements. Can be "never"
142 # (don't even bother trying), "allow" (try, but don't fail if the cerificate
143 # can't be verified), or "demand" (fail if the certificate doesn't verify.)
144 # The default is "allow"
145 tls_require_cert = "allow"
147 # default_profile: DN of a LDAP object, which contains default RADIUS
148 # attributes. default: NULL - use only user specific attributes or
149 # attributes, supplied by other modules.
151 default_profile = "cn=RadProfile,o=My Org,c=UA"
153 # profile_attribute: user object attribute, which contains DN of
154 # radiusProfile object for this user. default: NULL - use only user
155 # specific attributes or attributes, supplied by other modules.
157 # profile_attribute = "radiusProfileDn"
159 # access_attr_used_for_allow: Define if the access attribute (described
160 # below) will be used to allow access (meaning if it exists then user
161 # remote access will be allowed) or to deny access. default: yes - used
164 # access_attr: if attribute is specified, module checks for its
165 # existance in user object. If access_attr_used_for_allow is set to
166 # yes: If it exists the user is allowed to get remote access. If it
167 # exists and is set to FALSE the user is denied remote access. If it
168 # does not exist user is denied remote access by default if
169 # access_attr_used_for_allow is set to no: If it exists the user is
170 # denied remote access. If it does not exist user is allowed remote
173 # default: NULL - don't check for the attribute
175 access_attr = "dialupAccess"
177 # password_header: If the user password is available we add it to the
178 # check items (to assist in CHAP ie) striping any headers first.
179 # NOTE: The password_header directive is NOT case insensitive
182 # password_header = "{clear}"
184 # password_attribute: Define the attribute which contains the user
186 # While integrating FreeRADIUS with Novell eDirectory, set
187 # 'password_attribute = nspmpassword' in order to use the universal
188 # password of the eDirectory users for RADIUS authentication. This will
189 # work only if FreeRADIUS is configured to build with --with-edir option.
191 # default: NULL - don't add password
193 # password_attribute = "userPassword"
195 # password_radius_attribute: Defined the RADIUS attribute where the extracted
196 # user password will be stored to. Can be used to set it to NT-Password or any
197 # other similar attribute instead of the default
199 # default: User-Password
201 # password_radius_attribute = "NT-Password"
203 # edir_account_policy_check: Specifies if the module has to enforce
204 # Novell eDirectory account policy check and intruder detection for
205 # RADIUS users. This will work only if FreeRADIUS is configured to build
206 # with --with-edir option.
208 # default: yes - eDirectory account policy check enabled
210 # edir_account_policy_check = no
212 # groupname_attribute: The attribute containing group name in the LDAP
213 # server. It is used to search group by name.
215 # default: cn - Search filter is "(cn=%GroupName)"
217 # groupname_attribute = "cn"
219 # compare_check_items: Specifies if the module will do a comparison on
220 # the check items extracted from the ldap with the corresponding items
221 # present in the incoming request.
223 # default: no - don't do any comparisons
225 # compare_check_items = yes
227 # do_xlat: Specifies if the module will do an xlat on the radius attributes
228 # extracted from the ldap database. Also the attribute operators will be
229 # honored. If the directive is set to 'no' then we will fall back to the
230 # pairadd() function which will just add the attributes at the end of the
231 # corresponding attribute list (check or reply items). This can be used to
232 # fall back to 0.8.1 behaviour without changing the ldap data or to gain a
233 # little performance if the ldap data is rather simple (no special operators)
235 # default: yes - do an xlat and honor operators
240 # groupmembership_filter: The filter to search for group membership of a
241 # particular user after we have found the DN for the group.
243 # default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
245 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
248 # groupmembership_attribute: The attribute in the user entry that states
249 # the group the user belongs to. The attribute can either contain the
250 # group name or the group DN. If it contains the group DN
251 # groupmembership_attribute will also be used to find the group's name.
252 # The attribute will be used after a search based on the
253 # groupname_attribute and groupmembership_filter has failed. default:
254 # NULL - don't search for a group based on attributes in the user entry.
256 # groupmembership_attribute = "radiusGroupName"
260 NOTE: As LDAP is case insensitive, you should probably also set "lower_user =
261 yes" and "lower_time = before" in main section of radiusd.conf, to get limits
262 on simultaneous logins working correctly. Otherwise, users will be able get
263 large number of sessions, capitalizing parts of their login names.
265 MODULE MESSAGES: On user rejection rlm_ldap will return the following module
268 "rlm_ldap: User not found" "rlm_ldap: Access Attribute denies access"
269 "rlm_ldap: Bind as user failed"
271 These messages will be visible in radius.log as aditional information in
272 "Login incorrect" and "Invalid user" log messages.
274 LDAP XLAT: The ldap module now supports LDAP URLs in xlat strings. That is you
275 can now add LDAP URLs in the configuration options and hopefully shortly also
276 in the users file. The strings will be of the following form:
278 %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
280 The requested attributes list MUST contain only ONE attribute. In case this
281 attribute is multi valued which value is returned is considered UNDEFINED.
282 Also, adding the host:port information SHOULD be avoided unless there are more
283 than one ldap module instances in which case the host,port information can be
284 used to distinguish which module will actually return the information (the
285 xlat function will return NULL if the host,port information does not
286 correspond to the configured attributes). If there are more than one
287 instances the module instance name can be used instead of the string 'ldap'
288 before the ldap url to decide which instance will return the information.
289 That is the xlat string will be of the form:
291 %{$instance_name:ldap:///dc=comapny,dc=com?uid?sub?uid=%u}
293 i.e.: ${ldap_company1:ldap:///dc=company1,dc=com?uid?sub?uid=%u}
296 USER PROFILE ATTRIBUTE: The module can use the User-Profile attribute. If it
297 is set, it will assume that it contains the DN of a profile entry containing
298 radius attributes. This entry will _replace_ the default profile directive.
299 That way we can use different profiles based on checks on the radius
300 attributes contained in the Access-Request packets. For example (users file):
302 DEFAULT Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"
305 GROUP SUPPORT: The module supports searching for ldap groups by use of the
306 Ldap-Group attribute. As long as the module has been instanciated it can be
307 used to do group membership checks through other modules. For example in the
310 DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
311 Reply-Message = "Sorry, you are not allowed to have dialup access"
313 DNs are also accepted as Ldap-Group values, i.e.:
315 DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject
316 Reply-Message = "Sorry, you are not allowed to have dialup access"
320 Also if you are using multiple ldap module instances a per instance
321 Ldap-Group attribute is registered and can be used. It is of the form
322 <instance_name>-Ldap-Group. In other words if in radiusd.conf we
323 configure an ldap module instance like:
325 ldap myname { [...] }
327 we can then use the myname-Ldap-Group attribute to match user
328 groups. Make sure though that the ldap module is instantiated *before*
329 the files module so that it will have time to register the
330 corresponding attribute. One solution would be to add the ldap module
331 in the instantiate{} block in radiusd.conf
335 When rlm_ldap has found the DN corresponding to the username provided
336 in the access-request (all this happens in the authorize section) it
337 will add an Ldap-UserDN attribute in the check items list containing
338 that DN. The attribute will be searched for in the authenticate
339 section and if present will be used for authentication (ldap bind with
340 the user DN/password). Otherwise a search will be performed to find
341 the user dn. If the administrator wishes to use rlm_ldap only for
342 authentication or does not wish to populate the identity,password
343 configuration attributes he can set this attribute by other means and
344 avoid the ldap search completely. For instance it can be set through
345 the users file in the authorize section:
347 DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
350 DIRECTORY COMPATIBILITY NOTE: If you use LDAP only for authorization and
351 authentication (e.g. you can not afford schema extention), I propose to set
352 all necessary attributes in raddb/users file with following authorize section
355 authorize { ldap { notfound = return } files }